The MPLS-OPS Archive





RE: Questions about MPLS

  • From: "Tim A. Irwin" <tirwin@bellsouth.net>
  • Date: Sun, 18 Mar 2001 22:57:28 -0600
  • Importance: Normal
  • Resent-Date: Mon, 19 Mar 2001 01:26:44 -0500
  • To: "Ramin K" <mr_list@netzero.net>, <mpls-ops@mplsrc.com>

Ramin wrote:

> Moore's law cuts both ways on encryption. Faster machines to crack with.
> Faster machines to do complicated crypto transforms with longer keys.
> Since key length increases the number of keys to check at a geometric
> rate and the encryption process gains a few cycles to do the encryption,
> I'd argue that Moore's Law favors the encrypted barring any radically new
> mathematical techniques for attacking a particular scheme.
>
> Of course I've never written any programs that do encryption, so I'm
> guessing at the cycle increase involved in key length change. The fact
> that I can buy a box for 9k that can ipsec 100Mb/s of traffic this year
> and I couldn't 3 years ago makes me think it not much.

True, Moore's law does work both ways, but the crypto algorithms are also
increasing in strength at the same time *because of* Moore's Law.  So you're
always chasing the Holy Grail of sufficient processor power.

A couple of points to ponder though... which do you upgrade more frequently,
the processor in your router or the processor in your PC?  I don't think you
typically upgrade router processors as frequently.  My point is that routers
weren't designed to do computation as complex as crypto -- they were meant
to move packets between interfaces as fast as possible.  That's why most
vendors have gone to hw-based acceleration.

Which brings me back to the original point... whether or not IPsec is
scalable. Let me give an example... I have seen lots of customers build FR
hub-and-spoke topologies not because of the cost of the additional PVCs, not
because of the traffic patterns, and not because they didn't know how to
build a full mesh.  It's because a full mesh of PVCs is a pain in the rear
to manage, and every time you add an end site, you have to touch every other
router in the mesh which increases the likelihood you will screw up
something in the process.   So when you start looking at multiple IPsec
tunnels terminating on a bunch of routers, it's the same thing all over
again.  Sure it's scalable for the SP, but it's not for the customer, both
from a performance standpoint (don't encrypt if you don't have to) and a
manageability standpoint.

Also, 100 Mb/s of IPsec isn't sufficient info to judge whether it's
scalable.  Performance will depend on the crypto algorithm -- 3DES has a LOT
more overhead than DES.  You also have overhead with IKE. And as I
previously stated, performance also depends on the number of tunnels.  1 DES
tunnel using 100 Mb/s of bandwidth is a lot less overhead than 1000 3DES
tunnels using 100 Mb/s of bandwidth.  Those are marketing numbers and I
usually don't trust them until I've tested it in the lab.

-Tim

-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe:  http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml